12
Before sending any request to the server, browsers automatically send a request of the type OPTIONS to know some server information
What information does the server need to send? Only CORS headers?
Should this information be sent only in these requests or in the others as well? (for compatibility with older browsers or something)
These requests need to be authenticated?
I found that question where it says only a phrase not very specific to what should be returned
7
The Method OPTIONS is a method HTTP, which is used to find out which request options are allowed for certain server resources, so this request is made before the others, to find out which permissions you accept.
In this request, the server returns a list of headers, containing some data, but can also return an error if it has no request for the resources.
This can be done in two ways, the first is by specifying a URL in the request for a specific analysis:
OPTIONS /index.html HTTP/1.1
The other way is to asterisk (*), which refers to resources as a whole:
OPTIONS * HTTP/1.1
This request is initially made to find out the permissions offered for the resources, so you can use the other requests without returning an error.
For a simple request, you can use the CURL, to send this confirmation request, for example:
curl -X OPTIONS http://index.html -i
In this request, by default, if there are fields allowed, the server will return a header of the type Allow, which indicates which methods you accept and have request permission, but return the data only as information:
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0
If no requests are allowed, the server will return an empty header, which may occur temporarily for some resource.
The information of OPTIONS, are made only in this request, to indicate which methods you accept to do. It is not used for sending confirmation.
It is a specification used to set resource exchanges between browser and server, securely, not allowing scripts to cross-source requests.
A requisition, made with CORS, is used to know if the server allows a specific request type, informing the parameters to be analyzed, ie a "custom" permission check for the server.
Here, has a list of headers
CORSthat can be used in a request.
An example, a request is created to know if a specific request you use POST and has custom headers is accepted. Headers are used Access-Control-Request-Method, to the POST and the Access-Control-Request-Headers, for the custom headers:
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER, Content-Type
From this "custom" request, the server analyzes and, if allowed, returns with the headers, informing if the headers of the specific fields informed may be requested. That answer is similar to an answer Allow.
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Server: Apache/2.0.61 (Unix)
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
Access-Control-Max-Age: 86400
Vary: Accept-Encoding, Origin
Content-Encoding: gzip
Content-Length: 0
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/plain
The mechanism CORS, supports secure cross-source requests, which are requests with origin (domain, protocol, and port) different from their own origin. With this, the request passes through the authentication made by the server and returns the result, to request a cross request.
In a request with CORS, the browser makes a request, where specific headers are passed, for example a header Access-Control-Request-Method, that will require methods that are allowed and the server will respond with Access-Control-Allow-Methods, that is, the browser requests a confirmation, the server responds with a header, stating what is allowed and with the return, the browser checks the returned data, if compatible, the browser will release the cross request, between different domains.
All browsers have basic support for this type of request, both mobile and desktop browsers:
Browser other questions tagged http http-methods
You are not signed in. Login or sign up in order to post.
It seems to me that your answer explains what the
OPTIONSbut does not explain exactly what should be returned in this type of request, by his reply, I understood that in this type of request only need to return the headerAllow, nothing else, is that correct?. In practice what is the difference betweenAllowandAccess-Control-Allow-Methods?– Costamilam
That question "This information should be sent only in these requests or in the other?" refers to requests of the type
OPTIONSand not to CORS– Costamilam
@Guilhermecostamilam made some changes to the text
– Gabriel Gonçalves
In the links you passed is written "Responses to the OPTIONS method are not cacheable", if the answer cannot be cached because, in your example, you have cached?
– Costamilam
@Guilhermecostamilam really, it is not "cacheable". Only that this type of request, brings what is released and what can be used. The example, came from the MDN site itself. It is so much that if you use the cmd
curl -X OPTIONS https://developer.mozilla.org -i, pointing to their website, will also return a header with similar information.– Gabriel Gonçalves